A secure quantum identification system combining a classical
identification procedure and quantum key distribution is proposed.
Each identification sequence is always used just once and new
sequences are "refuelled" from a shared provably secret key
transferred through the quantum channel. Two identification protocols
are devised. The first protocol can be applied when legitimate users
have an unjammable public channel at their disposal. The deception
probability is derived for the case of a noisy quantum channel. The
second protocol employs unconditionally secure authentication of
information sent over the public channel, and thus it can be applied
even in the case when an adversary is allowed to modify public
communications. An experimental realization of a quantum
identification system is described.

I. INTRODUCTION

Electronic communications have become one of the 
main pillars of the modern society. Their utilization 
places new demands on the establishment of security of 
transmitted data. In everyday life there are many situa- 
tions when it is necessary to conceal the contents of in- 
formation conveyed over insecure communications lines, 
such as when databases containing confidential data on 
citizens are to be distributed among authorities, when fi- 
nancial transactions are performed between banks (or for 
electronic shopping over the Internet), or when we want 
to withdraw money from automated teller machines, and, 
of course, for military and diplomatic purposes. 

In all these instances, cryptography proves very help- 
ful. One of the basic cryptographic tasks is to certify the 
identities of the legitimate users of a communications line 
(traditionally called Alice and Bob) so that no third party 
monitoring their identification can impersonate either of 
them. Moreover, the system must be designed in such 
a way that after a successful mutual identification even 
Bob cannot later on pretend to someone else to be Alice 
and vice versa. 

Existing identification systems are merely computationally secure,
i.e., they rely on limited advancement of computer power,
technologies, and mathematical algorithms in the foreseeable future.
The construction of a quantum computer can seriously menace the
security of classical identification systems. A quantum identification
system was first proposed by C. Crépeau and L. Salvail in [?]. Their
identification protocol is based on quantum oblivious transfer: Alice
and Bob mutually check their knowledge of a common secret string
without disclosing it. However, quantum oblivious transfer has been
proved insecure against the so-called collective attacks by D. Mayers
[?], and H.-K. Lo and H. F. Chau [?]. Although it is not possible to
perform collective attacks with current technology, recent
developments suggest that it might be possible in the near future.

In the protocols proposed here, Alice and Bob check their common
secret string in a classical way. To prevent later misuse, each
identification sequence is used only once and the distribution of a
new common secret string is achieved by means of quantum key
distribution (QKD). QKD, based on the BB84 protocol [?], has recently
been proved secure against any collective attack allowed by quantum
mechanics [?], and thus it offers unconditional protection even
against eavesdroppers possessing unlimited computational and
technological power. QKD is able to provide two users with a random
shared secret string, whose secrecy is guaranteed by the fundamental
laws of quantum mechanics. Many papers have already been devoted to
quantum cryptography. Let us mention only a few of them [?] and the
survey [?]. A large bibliography may also be found in [?].

In this paper, two protocols for quantum mutual iden- 
tification are presented. The first is designed for the case 
of an unjammable public channel. Since this requirement 
might appear too strong in practice, we also present a 
second protocol that utilizes unconditionally secure au- 
thentication of messages sent over the public channel. 
Both protocols have been implemented in a laboratory 
setup over a distance of 0.5 km. 



II. IDENTIFICATION WITH UNJAMMABLE 
OPEN CHANNEL 

On the assumption that the open channel used for communication during
the quantum key distribution cannot be modified, a simple
identification protocol can be implemented. The proposed
identification protocol does not rely on quantum bit commitment or
oblivious transfer, but it is based on a simple classical
identification method using each time a new identification sequence
(i.e., the sequence is changed after each identification act, either
successful or unsuccessful). This method is secure in the following
sense: a sufficient length of an identification sequence (IS) exists
such that the probability of success of an unauthorized user is
smaller than an arbitrarily small positive number. Since each IS may
be used only once, the users need to regularly refuel their pools of
sequences. Here we come to the "quantum part" of the protocol. The
well-known quantum key distribution procedure (QKD) is well suited to
accomplish this task. Of course, a certain amount of secret
information must be shared at the beginning. But later, the used ISs
are replaced by new ones transmitted by means of QKD. A limited number
of ISs could be stored, e.g., on a chip card and encrypted using a
"personal identification number" (PIN). Owing to discarding each used
IS, the probability of success of an unauthorized user of the "lost"
card depends on the number of stored ISs and on the length of the PIN
(varying these parameters, this probability could be made arbitrarily
small).

FIG. 1. Information as a function of error rate: $I_{AB}$ -
information shared by Alice and Bob, $I_{\rm opt}$ - Eve's information
gained using optimum eavesdropping strategy according to [?],
$I_{\rm limit}$ - below this limit of Eve's information on the key,
the deception probability in Protocol I can be made arbitrarily small
by prolonging ISs. The intersection of $I_{\rm limit}$ and
$I_{\rm opt}$ shows the estimate of the upper bound of the error rate
for the identification application following Protocol I.

Let us note that there is no need to perform error correction and
privacy amplification [?] after QKD. The correspondence between two
compared ISs need not then be perfect, the errors being caused either
by the imperfections of the device or by eavesdropping. If the
legitimate parties tolerate a certain small number of errors, then it
is also necessary to suppose that an eavesdropper (Eve) could capture
some information on new "refuelled" ISs by measurements on the quantum
channel. The authorized users are able to estimate the amount of this
information [?]. Nevertheless, if the ISs are long enough, this tapped
information is not sufficient for Eve to succeed in the identification
procedure, at least if she can perform only separate and independent
measurements on transmitted qubits (for the so-called coherent attack
the situation is more complex). Strictly speaking, for error rates
below a certain level, the deception probability can be made
arbitrarily small by prolonging ISs. For details see Appendix A.

As an example, assume an error rate $\varepsilon = 0.01$ (it can be
seen in Fig. 1 that this error rate lies below the upper bound value
$\varepsilon_{\rm ub}$ (Eq. A4)). For this error rate, the average
probability that Eve correctly guesses a bit, if she applies an
optimum strategy, is approximately p = 0.6 (this is computed from
$I_{\rm opt}$, see Fig. 1, using Eq. (65) in [21] and the definition
of information). Then it follows from Eq. (A2) that for ISs of length
N > 50 bits, the deception probability $P(N,\varepsilon) < 10^{-10}$.

The protocol consists of a three-pass exchange of ISs 
and it can be realized as follows. Note that Alice and 
Bob must initially share several triads of ISs. 



Protocol I (unjammable open channel) 



• Alice and Bob tell each other their ordinal numbers
of IS triads in the stack - a pointer to Alice's
(Bob's) first unused sequence - and choose the
higher one if they differ.

• — Alice sends the first IS of the triad to Bob. 

— Bob checks whether it agrees with his copy. If 
not, Bob aborts communication and shifts his 
pointer to the next triad. Otherwise, he sends 
the second IS of the triad to Alice. 

— Alice compares whether her and Bob's second 
ISs agree. If not, she aborts communication 
and shifts her pointer. Otherwise, she sends 
the third IS to Bob. If Bob finds it correct, 
the identification is successfully finished. 

• To replace the used ISs, Alice and Bob "refuel" new 
ISs by means of QKD and set the pointers to their 
initial positions. 

Three passes are necessary for the following reason: An eavesdropper
(Eve) can pretend to be Bob and get the first IS from Alice. Of
course, Alice recognizes that Eve is not Bob because Eve cannot send
the correct second IS. So Alice aborts the connection and discards
this triad (i.e., shifts the pointer to the next one). However, later
on Eve could turn to Bob and impersonate Alice. She knows the first
IS! Bob can recognize a dishonest Eve only because she does not know
the third IS.
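
The reasoning above can be replayed as a small simulation. This is an added example, not code from the paper: the 64-bit IS length, the `Party` class and the helper names are assumptions made for the illustration, and a shared random pool stands in for the triads refuelled by QKD.

```python
import math
import secrets

IS_BITS = 64        # constructed IS length N; the paper only asks for "long enough"
ERROR_RATE = 0.01   # tolerated error rate, as in the paper's worked example


def matches(received, expected, n_bits=IS_BITS, eps=ERROR_RATE):
    """Accept an IS that differs in at most k = ceil(eps * N) bit positions."""
    k = math.ceil(eps * n_bits)
    return bin(received ^ expected).count("1") <= k


def make_pool(n_triads):
    """Shared secret pool of IS triads (stand-in for key material from QKD)."""
    return [tuple(secrets.randbits(IS_BITS) for _ in range(3))
            for _ in range(n_triads)]


class Party:
    def __init__(self, pool):
        self.pool = list(pool)
        self.ptr = 0                      # index of the first unused triad

    def sync(self, announced_ptr):
        """Take the higher pointer; the triad is spent whatever happens next."""
        self.ptr = max(self.ptr, announced_ptr)
        self.cur = self.pool[self.ptr]
        self.ptr += 1

    # Alice's role
    def send_first(self):
        return self.cur[0]

    def answer_second(self, is2):
        """Release the third IS only if the second one checks out."""
        return self.cur[2] if matches(is2, self.cur[1]) else None

    # Bob's role
    def answer_first(self, is1):
        """Release the second IS only if the first one checks out."""
        return self.cur[1] if matches(is1, self.cur[0]) else None

    def check_third(self, is3):
        return matches(is3, self.cur[2])


def honest_run(alice, bob):
    pa, pb = alice.ptr, bob.ptr
    alice.sync(pb)
    bob.sync(pa)
    is2 = bob.answer_first(alice.send_first())
    if is2 is None:
        return False
    is3 = alice.answer_second(is2)
    return is3 is not None and bob.check_third(is3)


def replay_attempt(alice, bob):
    """Eve poses as Bob to Alice, then as Alice to Bob, on the same triad."""
    seen_ptr = alice.ptr                  # pointers are announced in the clear
    alice.sync(seen_ptr)
    first_is = alice.send_first()         # pass 1 hands Eve the first IS
    alice_accepts = alice.answer_second(secrets.randbits(IS_BITS)) is not None
    bob.sync(seen_ptr)
    second_is = bob.answer_first(first_is)    # the replayed first IS is genuine
    bob_accepts = (second_is is not None
                   and bob.check_third(secrets.randbits(IS_BITS)))
    return {"alice_accepts_eve": alice_accepts,
            "first_is_alone_passes_bob": second_is is not None,
            "bob_accepts_eve": bob_accepts}
```

The `first_is_alone_passes_bob` flag is the case a two-pass scheme would get wrong: Bob's check of the first IS succeeds for Eve, and only the third pass stops her.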

Another possibility would be to have only one IS and 
to send alternately one bit from Alice to Bob and one 
from Bob to Alice. The communication is aborted when 
an admissible number of errors is exceeded. However, the 
derivation of deception probability is more complicated 
in this case. 
III. IDENTIFICATION WITH AUTHENTICATED
PUBLIC DISCUSSION 

In practice, the "auxiliary" information transmitted 
through the open channel during QKD could be modi- 
fied, as it is difficult to create a physically unjammable 
classical channel. Therefore authentication of the mes- 
sages sent over the open channel is necessary. This proce- 
dure requires additional "key" material to be stored and 
transmitted in a similar way as ISs (again, each "key" 
may be used just once). This authentication, however, 
can be utilized for the identification itself. A three-pass 
authenticated public discussion, performed during QKD, 
can function as the three-pass exchange of ISs described 
in the preceding section.

However, there are several problems. First, it would 
be more difficult to estimate Eve's chances to succeed 
in the identification, if a certain number of errors were 
allowed in the quantum distributed key, because the au- 
thentication tag depends not only on the "key" (or IS) 
but also on the message itself. So, it is necessary (or, 
at least, simpler) to execute error correction and privacy 
amplification. 

The second problem is more subtle. For quantum cryptography to provide
unconditional security, the procedure used for authentication of
public discussion must also be unconditionally secure, not only
computationally. Such authentication algorithms exist [18]. These
algorithms are based on the so-called orthogonal arrays. It can be
shown, however, that the length (in bits, e.g.) of an "authentication
key" must always be greater than the length of the authenticated
message. If m is the number of all possible messages, k the number of
keys, and n the number of all possible authentication tags, it can be
proved using methods of orthogonal arrays theory that

$$k \ge m(n - 1) + 1.$$

Now it is straightforward to show that

$$k > m, \quad \text{if } n > 2.$$

An example of an authentication protocol is given in Appendix B.

This fact represents a difficulty for QKD. The length 
in bits of the messages communicated over the public 
channel is always greater than the length of transmitted 
"quantum" key. For each qubit at least one bit of infor- 
mation about the basis chosen by Alice and one bit about 
the basis chosen by Bob must be interchanged. Only 
about one half of all successfully received qubits can be 
used as a key (requirement of coincidence of bases). Be- 
sides, part of the key has to be sacrificed and compared 
by Alice and Bob in order to detect potential eavesdrop- 
ping, which is also done through the open channel. So 
there is not enough "quantum" key material to replace 
the used bits for the next authentication even in the case 
one does not intend to use the transmitted "quantum" 
key (or its part) for other purposes. 



The way out of this impasse is to realize that it is not 
necessary to authenticate all parts of the public discus- 
sion done during QKD. 

The most important and characteristic property of 
quantum cryptography is that any attempt at eavesdrop- 
ping inevitably increases the number of errors in the 
transmitted key. Thus it is necessary to prevent Eve 
from modifying in any way the part of public discus- 
sion connected with the error-rate estimation. Therefore, 
messages containing the sacrificed part of the "quantum" 
key (including corresponding bases and positions of sac- 
rificed bits) have to be authenticated. Any modification 
of the rest of public communication could impair QKD, 
but would not jeopardize the security of the system. This 
check on error rate should be performed as the first step 
of the public discussion, even before the establishment 
of the sifted key by comparison of bases! Otherwise a 
malicious Eve could manipulate the non-authenticated 
public transmission for her benefit. She could, e.g., ex- 
change separate sifted keys with Alice and Bob and then 
choose only those bits where the choice of bases coin- 
cides for all three of them, thus obtaining full knowledge 
of the key without increasing the error rate (at the cost 
of decreasing the transmission rate). 

An important question is the length of the sacrificed subset that
serves the error-rate estimation. Alice and Bob agree on a maximum
tolerable error rate $\varepsilon_{\max}$, whose value must be lower
than the theoretical limit for a safe noisy quantum channel. Several
such limits have been derived in the literature for different kinds of
Eve's attacks [?]; nevertheless, the ultimate value for the most
general attack is not known at present. In Appendix C we give a
derivation of the length of the subset and the limiting error-rate
estimate $\varepsilon_{\lim}$ Alice and Bob can accept so that the
probability that the actual error rate is higher than
$\varepsilon_{\max}$ is lower than a prescribed "safety parameter"
$\delta$.

Provided that Alice and Bob initially share a pool of 
secret information, the identification procedure consists 
of the following steps: 



Protocol II (authenticated open channel) 



• Alice and Bob first perform transmission over the 
quantum channel according to the BB84 protocol, 
i.e., Alice randomly alternates two bases and two 
bit values, while Bob records detections in ran- 
domly chosen bases (raw quantum transmission). 

• Alice and Bob tell each other their addresses in the
pool of shared secret information - a pointer to
Alice's (Bob's) first unused bit - and choose the
higher one if they differ. Then follows a three-pass
authenticated public discussion that serves the
estimation of the error rate and mutual identification:

— Bob sends to Alice an authenticated message 
containing the positions of bits randomly se- 
lected for error-rate estimation. 
— Alice checks authentication and aborts communication
if it fails. Otherwise she sends back to Bob an
authenticated message containing the bases and bit
values of the selected qubits.

— Bob checks authentication and aborts commu- 
nication if it fails. Next he compares bases 
of the selected subset and retains only those 
qubits where his and Alice's bases coincide. At 
last, he estimates error rate. He sends to Alice 
an authenticated message to inform her that 
identification was successful and to convey the 
value of the error-rate estimate. Alice checks 
authentication and aborts communication if it 
fails. 

• If the error-rate estimate is lower than a maximum
tolerable error rate $\varepsilon_{\lim}$, Alice and Bob
compare bases of the rest of their raw data and arrive at
their sifted keys. Otherwise they suspect Eve of listening
in and cannot safely use the just accomplished quantum
transmission to establish new shared secret sequences.

• Then they perform error correction and privacy
amplification procedures and arrive at an error-free
distilled key. The level of privacy amplification is
based on $\varepsilon_{\max}$.

• Alice and Bob refuel their shared secret informa- 
tion. 

The used authentication sequences are always thrown away. The length
of the raw quantum transmission must be selected such that the length
of the newly obtained distilled key is greater than the number of bits
consumed for authentication/identification purposes. It is convenient
if it covers several unsuccessful identification acts. We give
concrete figures in Section V.



IV. DESCRIPTION OF THE APPARATUS 

The experimental implementation of our system is based on an
interferometric setup (i.e., on phase coding) with time multiplexing.
It consists of two unbalanced fibre Mach-Zehnder interferometers (see
Fig. 2).
The path difference (2 m) of the arms of each interfer- 
ometer is larger than the width of the laser pulse (its 
duration is 4 ns). Interference occurs at the outputs of 
the second interferometer for pulses "taking" long-short 
or short-long paths. These paths are of the same length 
and are indistinguishable. Each of these interferometers 
represents the main part of the "terminals" of both com- 
municating parties. The terminals are interconnected by 
a 0.5 km single mode optical fibre acting as a quantum 
channel, and by a classical channel (local computer net- 
work). As a light source, a semiconductor pulsed laser 



with a repetition rate of 100 kHz operating at 830 nm 
is used. Laser pulses are attenuated by a computer- 
controlled attenuator so that the intensity level at the 
output of the first interferometer is below 1 photon per 
pulse on the average. The accuracy of this setting is mon- 
itored by detector D3. Polarization properties of light in 
the interferometers are controlled by polarization con- 
trollers PoC. To balance the lengths of the arms, an air 
gap AG with a remotely controlled gap-width is used. 
The phase coding is performed by means of two planar 
electro-optic phase modulators PM (one at each termi- 
nal). To achieve high interference visibility, the splitting 
ratio of the last combiner must approach 50:50 as closely 
as possible (see [?]). Therefore a variable ratio coupler
VRC is employed there. With this setup, it is possible 
to reach visibilities well above 99.5%. The total losses of 
the second interferometer do not exceed 4.5 dB. 
FIG. 2. A scheme of the optical part of the built quantum
identification system. El. Att. - electronic attenuator, PoC 
- polarization controllers, PM - planar electro-optic phase 
modulators, ATT - attenuators, Pol - polarizers, C - fibre 
couplers, VRC - variable ratio coupler, AG - air gap. 

Detectors D1-D3 are single photon counting modules 
with Si-avalanche photodiodes. Their output signals 
are processed by detection electronics based on time-to- 
amplitude converters and single channel analyzers. Both 
terminals are fully driven by computers. The interferom- 
eters are placed in polystyrene thermo-isolating boxes. 
Together with automatic active stabilization of interfer- 
ence, it enables us to reach low error rates (0.3-0.4 %) 
with data transmission rates of the order of several kbits 
per second.



V. PRACTICAL IMPLEMENTATION 
(PROTOCOL II) 

To estimate the error rate of the just completed quan- 
tum transmission, Alice and Bob sacrifice a subset of 
their raw data and publicly compare bit values. It is im- 
portant that this is the first step of processing the raw 
data obtained from the transmission over the quantum 
channel. The selection of bit positions for the subset 
must be completely random so that Eve has no a priori 
information about which bits may appear in the subset. 

Let us first focus on the authenticated part of public discussion. We
choose the length of the subset 2s = 2000 bits. If the "safety
parameter" $\delta = 10^{-10}$ is required, we must reject all raw
quantum transmissions for which we obtain error-rate estimate
$\varepsilon_{\rm est} > 2.4\%$ (see Appendix C for details). If a
total of N laser pulses have been used for the raw quantum
transmission, we need

• $2s\lceil \log_2 N \rceil + a$ bits to convey and authenticate
positions of selected bits,

• $4s + a$ bits to convey authenticated bases and bit values of the
selected bits, and,

• say, $32 + a$ bits to convey the final message whether everything
is OK or not.

Here [x] denotes the smallest integer larger than x, and 
a > [logaCV^)] i s the length of the authentication tag 
(see Appendix B). We use a = 61. In total this gives the 
requirement to share at least 



$$b_{\min} = 2s(\lceil \log_2 N \rceil + 2) + 32 + 3a \qquad (1)$$



secret bits initially. 

The length of the sifted key we obtain depends on the intensity of
laser pulses $\mu$ at the output of Alice's interferometer, on the
transmissivity of the communications line $\eta_{\rm TL}$ (0.63 in our
device), transmissivity of Bob's interferometer $\eta_{\rm Bob}$
(0.35), and the quantum efficiency of detectors $\eta_{\rm det}$
(0.55). This yields overall transmissivity
$\eta = \eta_{\rm TL}\,\eta_{\rm Bob}\,\eta_{\rm det} = 0.12$ and we
obtain a sifted key of the average length

$$N_s = \tfrac{1}{2}\,\mu\,\eta\,N. \qquad (2)$$



The error correction and privacy amplification procedures we use are
basically those used by Bennett et al. [?]. We have empirically found
that after error correction we are left with approximately

$$N_c = (1 - 2.7\,\varepsilon^{2/3})\,N_s$$

bits, $\varepsilon$ being the actual error rate. At last, privacy
amplification leaves us with

bits of distilled key†. The second term on the r.h.s. of Eq. (3)
expresses the number of bits Eve could obtain by beamsplitting [?]
with the capability of replacement of the lossy communications line by
a line of $\eta_{\rm TL} = 1$, while Alice and Bob tolerate a drop in
the data rate to one half of the expected value‡. The third term
contains the number of bits Eve could obtain by a probe interaction
attack with the possibility of delayed (after the announcement of the
bases but before error correction and privacy amplification)
measurements on individual photons [?]. The fourth term is a
5-standard-deviations safeguard, whose derivation is analogous to that
in [?]. The last term is a privacy amplification compression that
decreases Eve's information to 5 bits. Collective attacks are not
included, as no bound on the information an eavesdropper can get
through a collective attack has been derived yet; it has just been
proved that such a bound exists [?]. Preliminary results on coherent
eavesdropping also suggest that it does not seem to substantially
increase Eve's information [?].

*The improved techniques of [?], enabling a more rigorous
determination of the fraction of key bits to be discarded [?], can
also be used, and very recent results of [?] show how to incorporate
more sophisticated quantum non-demolition measurement instead of a
beamsplitting attack.

We have optimized this relation to maximize the ratio $N_D/N$. For our
system ($\eta = 0.12$, $\varepsilon = 0.004$, with the choice
$\varepsilon_{\max} = 0.07$ and 2s = 2000), we have found an optimum
average intensity $\mu \approx 0.8$ photon per pulse (Fig. 3). This
value represents a trade-off between the number of pulses successfully
detected by Bob and the reduction of the length of the key caused by
privacy amplification, and sensitively depends on the overall losses
of the system. The ratio $N_D/N$ depends only weakly on $\delta$ so
that it is easy to achieve an arbitrary security level.

It is worth noting that for sufficiently low $\mu$, the ratio
$b_{\min}/N_D$ converges to zero with increasing N so that it is
always possible to generate more new shared secret bits than are
consumed for authentication. Therefore authenticated QKD may be
regarded as an "expander" of shared secret information, once the ratio
$r = N_D/b_{\min}$ is greater than 1. For our system, we get r = 1 for
$N = 3.1 \times 10^{6}$ laser pulses (see Fig. 3).

†Eq. (3) is valid for $\mu < 1$; a general relation is somewhat clumsy
and we do not give it here.

‡The intensity at Bob's side also fluctuates for several physical
reasons, therefore it is not reasonable to limit the intensity drop
caused by eavesdropping in a too restrictive way.

§In fact, this number represents the information Eve could obtain,
which may not necessarily be in the form of a set of deterministic
bits.

FIG. 3. The dependence of the number of laser pulses N needed to
generate as much distilled key (Eq. (3)) as is consumed for
authentication during identification (Eq. (1)) on the intensity $\mu$
of laser pulses at the output of Alice's interferometer for three
different values of the transmissivity of the communications line
$\eta_{\rm TL}$. The higher the losses of the transmission line (or
its length), the lower must be the intensity at the output of Alice's
interferometer and the greater is the number of laser pulses needed to
generate enough distilled key. We can see that the optimum intensity
is about 0.8 photon per pulse in our case ($\eta_{\rm TL} = 0.63$).

The whole identification procedure starts with raw quantum
transmission. In our experimental setup, we generate raw key data in
sequences of 320,000 laser pulses. After each sequence, active
stabilization of the interferometers is performed to ensure low error
rate despite environmental perturbations. This yields an average raw
key data rate of circa 5.7 kbits per second. Once about 600,000
photons are successfully detected by Bob (we want r > 2), a three-pass
authenticated public discussion is performed according to Protocol II
described above. If all three authentications are found correct, Alice
and Bob have mutually identified themselves. If, in addition, the
computed error-rate estimate falls below the value
$\varepsilon_{\lim}$, they are able to refuel new secret key material.

They start doing this by comparing the bases of the rest of the raw
key data, thus arriving at approximately 300 kbits of sifted key. As
final steps, they perform error correction and privacy amplification
procedures. The level of privacy amplification is based on
$\varepsilon_{\max}$ and the "security parameter" $\delta$, as follows
from Eq. (3). For our usual error rates of 0.3-0.4%, Alice and Bob
obtain about 117 kbits of distilled key generated at an average rate
of 650 bits per second. This well covers approximately 50 kbits of
previously shared secret key material consumed during the
authenticated discussion. Let us note that we did not perform any
special optimization of data rate, the bottlenecks being here the way
we drive the equipment from PCs and the bandwidth of the detection
electronics we used. Nevertheless, in our setup the whole
identification procedure takes less than 3 minutes (including all
auxiliary processes).

VI. CONCLUSIONS 

We have discussed the possibility to utilize the advan- 
tages of quantum cryptography for mutual identification. 
Quantum key distribution can serve as a source to "con- 
tinuously" supply shared secret key material for classical 
identification methods, which employ one key just for one 
identification act. For the case of an unjammable open 
channel and a noisy quantum channel, a simple identifi- 
cation protocol has been proposed and deception prob- 
ability has been derived. For a more realistic situation 
of a jammable open channel, an identification protocol 
employing authentication of public discussion has been 
devised. A laboratory prototype of the identification 
system has been built. It is based on a "one-photon" 
interferometric method and on the quantum transmission
protocol BB84. The main physical parameters are as
follows: distance 0.5 km, wavelength 830 nm, raw data
rate about 5 kbits per sec, distilled key generation rate 
650 bits per sec, error rate in the range 0.3-0.4 %. 
APPENDIX A: DECEPTION PROBABILITY

Let us denote $\varepsilon$ the error rate of the device. Let the
length of IS be N and let us tolerate maximally
$k = \lceil \varepsilon N \rceil$ errors in the identification
procedure ($\lceil x \rceil$ denotes the smallest integer greater than
x). If Eve's measurements are independent and if the probability that
Eve correctly guesses the i-th bit in the sequence is $p_i$, then the
probability that Eve succeeds in the identification is

$$W = \sum_{l=0}^{k} \sum_{\{i_1 \ldots i_l\}} \left( \prod_{j=1}^{N} p_j \right) \left( \prod_{m=1}^{l} \frac{q_{i_m}}{p_{i_m}} \right). \qquad (A1)$$

Here $q_i = (1 - p_i)$ and the second sum goes over all l-tuples of
numbers from 1 to N (for l = 0 there is only $\prod_j p_j$). Employing
Jensen's inequality [?], one can find that



JV 



with 



1 W 

Further, realizing that for p > 1/2 the expression q/p < 1 is valid
and that for $l \le k$ the inequality
$\binom{N}{l} \le \binom{k}{l}\binom{N}{k}$ holds, one finally obtains
the deception probability:

$$P(N,\varepsilon) \le p^{N}\, 2^{k} \binom{N}{k}. \qquad (A2)$$

The question is for which p and $\varepsilon$ the limit
$\lim_{N\to\infty} P(N,\varepsilon) = 0$ [i.e., when P can be made
arbitrarily small by increasing N]. It can be shown that if
$0 < \lim_{N\to\infty} \beta(N) < 1$ then
$\lim_{N\to\infty} [\beta(N)]^{N} = 0$ and if
$\lim_{N\to\infty} \beta(N) > 1$ then
$\lim_{N\to\infty} [\beta(N)]^{N} = \infty$ ($\beta(N)$ is an
arbitrary function of N). Thus for each $\varepsilon$, a probability
$p_{\rm crit}$

$$p_{\rm crit} = \lim_{N\to\infty} \left[ 2^{k} \binom{N}{k} \right]^{-1/N} \qquad (A3)$$



may be defined such that for all $p < p_{\rm crit}$, the limit
$\lim_{N\to\infty} P(N,\varepsilon) = 0$. The graph in Fig. 1 shows
average information per bit
$I_{\rm limit} = 1 + p_{\rm crit}\log_2(p_{\rm crit}) + (1 - p_{\rm crit})\log_2(1 - p_{\rm crit})$
corresponding to $p_{\rm crit}$ together with mutual information of
Alice and Bob $I_{AB}$ and Eve's information gained by optimal
eavesdropping strategy $I_{\rm opt} = I_{AE} = I_{EB}$ (see [21],
Eq. (65)) as a function of error rate $\varepsilon$. The intersection
of $I_{\rm limit}$ and $I_{\rm opt}$ determines the estimation of the
upper bound of the error rate for this identification application:

$$\varepsilon_{\rm ub} \approx 0.066. \qquad (A4)$$



A disputable question might be the case of collective (or coherent)
attacks when the probabilities of the correct guesses of particular
bits need not be independent anymore and then the probability
$P(N,\varepsilon)$ may decrease with increasing N more slowly in
comparison with the previous case.



APPENDIX B: EXAMPLE OF 
AUTHENTICATION PROTOCOL 

If probabilities of impersonation are to be the same for all possible
pairs (message, authentication tag), then there exists an orthogonal
array that serves as a base for an authentication code. In such a case
the deception probability, defined as a maximum from the above
mentioned probabilities of impersonation, is minimal and is equal to
the reciprocal of the number of all possible authentication tags.

There is a class of orthogonal arrays that enables us to construct
reasonable authentication codes [?]. If p is prime and d > 2 is an
integer, an authentication code can be created for
$(p^{d} - 1)/(p - 1)$ messages with $p^{d}$ keys and p authentication
tags (the deception probability is $p^{-1}$). For a given message and
a given authentication key, the authentication tag can be calculated
as follows:

1. Convert a given authentication key to the number system of the
base p (its maximal length in this system is d). Let us denote the
i-th "digit" by $r_i$.

2. Construct and order all non-zero "numbers" in the number system of
the base p of the maximum length d that have the first non-zero
"digit" from the left equal to 1 [there are $(p^{d} - 1)/(p - 1)$ such
numbers]. A one-to-one mapping exists between all possible messages
and all "numbers" (or sequences) from this set. Assign the
corresponding "number" (the ordering of the "numbers" is assumed to be
fixed) to the message to be authenticated. Let the i-th "digit" of
that particular "number" be denoted by $c_i$.

3. The authentication tag is given by the equation

$$A(r, c) = \sum_{i=1}^{d} r_i c_i \bmod p.$$

As a practical example (used in implementation of Protocol II), we
have chosen $p = 2^{61} - 1$ (it is prime) and d = 739. Then the
deception probability is about $5 \cdot 10^{-19}$. The length of the
key is 45079 bits, the length of the message can be up to 45017 bits
and the authentication tag consists of 61 bits.

By the way, in case of p of this form it is not necessary to make the
conversion of item (1) above. One can just create groups consisting of
61 random bits. What is only necessary is to discard groups containing
all 61 ones (the probability of appearance of such a group is deuced
small).



APPENDIX C: DERIVATION OF THE LENGTH 
OF SUBSET FOR ERROR-RATE ESTIMATION 

Let us suppose that we select a subset of length 2s. After comparison
of bases, s bits will be retained on the average. Provided that the
actual error rate is $\varepsilon$, the probability that we find k
errors in the subset of length s (i.e., the error-rate estimate is
$\varepsilon_{\rm est} = k/s$) is given by

$$P(\varepsilon_{\rm est}|\varepsilon) = \binom{s}{k}\, \varepsilon^{k} (1 - \varepsilon)^{s-k}. \qquad (C1)$$



Applying Bayes' theorem, the probability that the actual error rate is
$\varepsilon$, when the estimate is $\varepsilon_{\rm est} = k/s$, is
given by
p(e\e e



(C2) 



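Here we assume a uniform distribution of $\varepsilon$. We are now
interested in finding a limiting value $\varepsilon_{\lim}$ such that
for all $\varepsilon_{\rm est} < \varepsilon_{\lim}$ the probability

$$P(\varepsilon > \varepsilon_{\max}) = \int_{\varepsilon_{\max}}^{1} p(\varepsilon|\varepsilon_{\rm est})\, d\varepsilon < \delta, \qquad (C3)$$

where a small positive number $\delta$ denotes the "security
parameter". In Fig. 4 we plot the solution of the equation

$$\frac{\int_{\varepsilon_{\max}}^{1} \left\{ \varepsilon^{\varepsilon_{\lim}} (1 - \varepsilon)^{1 - \varepsilon_{\lim}} \right\}^{s} d\varepsilon}{\int_{0}^{1} \left\{ \varepsilon^{\varepsilon_{\lim}} (1 - \varepsilon)^{1 - \varepsilon_{\lim}} \right\}^{s} d\varepsilon} = \delta \qquad (C4)$$

with respect to $\varepsilon_{\lim}$ for several values of $\delta$. A
maximum acceptable error rate $\varepsilon_{\max} = 0.07$ has been
chosen, which is well below the lowest security limit derived so far
(0.146) [?]. The graph in Fig. 4 should be understood as follows: Once
we select a suitable value for the subset length, s, and the "security
parameter" $\delta$, the corresponding curve suggests a limiting value
for the estimated error level, above which the transmitted sequence
should be rejected as it cannot be guaranteed to have the actual error
rate $\varepsilon < \varepsilon_{\max}$ with the required probability
$1 - \delta$.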




FIG. 4. The dependence of limiting value $\varepsilon_{\lim}$ on a
subset size s for different values of the "security parameter"
$\delta$, when a maximum error rate of $\varepsilon_{\max} = 0.07$ is
tolerated (see Eq. (C4)). A subset of the length 2s is randomly
selected from raw quantum data which yields s bits with coincident
bases on the average. Quantum transmission is considered insecure
(i.e., the probability of the actual error rate $\varepsilon$ being
higher than $\varepsilon_{\max}$ is not lower than $\delta$), if the
error-rate estimate $\varepsilon_{\rm est}$ obtained from the subset
check exceeds the value $\varepsilon_{\lim}$. In our case we choose
s = 1000 and $\delta = 10^{-10}$, and we find
$\varepsilon_{\lim} \approx 2.4\%$.
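
The acceptance threshold of Appendix C and the bit accounting of Section V can be recomputed as follows. This is an added example, not the authors' code: the function names are assumptions, and the integral in (C3) is evaluated through the standard identity between the upper tail of a Beta(k + 1, s - k + 1) posterior and a binomial sum rather than by numerical integration.

```python
import math


def log_binom_pmf(n, j, x):
    """log of C(n, j) x^j (1 - x)^(n - j), kept in log space to avoid underflow."""
    return (math.lgamma(n + 1) - math.lgamma(j + 1) - math.lgamma(n - j + 1)
            + j * math.log(x) + (n - j) * math.log1p(-x))


def posterior_tail(k, s, eps_max):
    """P(eps > eps_max | k errors in s compared bits), uniform prior on eps.

    With a uniform prior the posterior is Beta(k + 1, s - k + 1); its upper
    tail at eps_max equals P(Bin(s + 1, eps_max) <= k).
    """
    return sum(math.exp(log_binom_pmf(s + 1, j, eps_max)) for j in range(k + 1))


def limiting_errors(s, eps_max=0.07, delta=1e-10):
    """Largest error count k with P(eps > eps_max) < delta, or None if none."""
    best = None
    for k in range(s + 1):
        if posterior_tail(k, s, eps_max) >= delta:   # the tail grows with k
            break
        best = k
    return best


def accept_transmission(errors, s, eps_max=0.07, delta=1e-10):
    """Decide whether the raw transmission may be used to refuel the pool."""
    k_lim = limiting_errors(s, eps_max, delta)
    return k_lim is not None and errors <= k_lim


def auth_bits_consumed(n_pulses, subset=2000, tag_bits=61):
    """Secret bits spent by the three authenticated messages of Protocol II."""
    ceil_log2_n = (n_pulses - 1).bit_length()     # exact ceil(log2 N) for N >= 2
    positions = subset * ceil_log2_n + tag_bits   # message 1: selected positions
    bases_and_values = 2 * subset + tag_bits      # message 2: 4s bits, 2s = subset
    verdict = 32 + tag_bits                       # message 3: final status
    return positions + bases_and_values + verdict


if __name__ == "__main__":
    k_lim = limiting_errors(1000)
    print("eps_lim =", k_lim / 1000)
    print("bits consumed for N = 3.1e6:", auth_bits_consumed(3_100_000))
```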